How do I edit my chart count search returning HTTP...

mcvr · ‎08-28-2015

Hi All,

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

This is giving me the all the HTTP codes and the corresponding counts as below

Code Count

200 5000
404 1,321
500 8,888
301 9,102

I don't want the 200 and 301 codes in my result set. For this, I tried the below logic, but never worked. It still lists the 200 and 301.

I need something like:

Code Count

404 1,321
500 8,888

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" AND " 301 Bytes" AND " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

Data String I am searching against:

Time Taken: 120039666 URL_STRING: /shop/dept_outfit.jsp 11.111.111.11 - - [28/Aug/2015:02:54:20 -0700] "GET /shop/dept_outfit.jsp HTTP/1.0" 200 Bytes: 56814 "-" "Mozilla/5.0 (compatible; test/1.0; http://open.test.com/dev/test)";

Please advise.

FritzWittwer_ol · ‎08-28-2015

Thre is more than one way as in Perl 😉

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR" 301 Bytes" OR" 302 Bytes")|...

or

source="/export/home/gpiadmin/logs/access_log" NOT " 200 Bytes" NOT " 301 Bytes" NOT " 302 Bytes"|...

or even

source="/export/home/logs/access_log" | rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code | search NOT( status_code=200 ORstaus_code=301)

richgalloway · ‎08-28-2015

Try this:

source="/export/home/gpiadmin/logs/access_log" NOT (" 200 Bytes" OR " 301 Bytes" OR " 302 Bytes")|rex ".*?HTTP\/\d+\.\d+\" (?<status_code>\d+)"|chart count by status_code

---
If this reply helps you, Karma would be appreciated.

How do I edit my chart count search returning HTTP codes to filter out codes 200 and 301 from the list of results?

Code Count

Code Count

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life